Pillar Administration has been confronted by an online security flaw that has led to the exposure of the superannuation details of 568 First State Super (FSS) members.
The flaw was exposed by security specialist and OSI Security principal consultant Patrick Webster while attempting to access his own details by changing a few digits in a link to his file, but instead he was supplied with another member's data.
"When I saw the document number I actually thought it was specific to me. I expected that if I changed the number I'd get a prior report of my own, but instead it was another member's report," Webster told InvestorDaily.
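The flaw described above is an insecure direct object reference: a report is fetched by its document number alone, and the server never checks that the number belongs to the member who is logged in, so a neighbouring number returns someone else's statement. The following is an added illustration, not code from the original article or from Pillar's or FSS's systems; the report store, member identifiers, log format and function names are all constructed for the example. It shows the vulnerable lookup beside the hardened one, a non-sequential identifier as defence in depth, and a simple access-log check a fund's operations team could run to notice one session walking through many members' documents.

```python
"""Insecure direct object reference in a report-download endpoint: vulnerable
and hardened handlers, plus a defender-side enumeration check.
All identifiers and data below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Report:
    doc_id: str
    member_id: str
    body: str


# Constructed sample store. Sequential document numbers are the pattern that
# lets a user reach a neighbour's report by changing a few digits of a link.
REPORTS = {
    "100231": Report("100231", "M-0001", "statement for member M-0001"),
    "100232": Report("100232", "M-0002", "statement for member M-0002"),
    "100233": Report("100233", "M-0003", "statement for member M-0003"),
}


class Forbidden(Exception):
    """Raised when a document is not visible to the calling session."""


def fetch_report_vulnerable(session_member_id: str, doc_id: str) -> str:
    """Looks the document up by number only. The caller's identity is never
    consulted, so any valid doc_id is served regardless of who owns it."""
    return REPORTS[doc_id].body


def fetch_report_hardened(session_member_id: str, doc_id: str) -> str:
    """Same lookup, but ownership is checked against the authenticated
    session (a server-side value, not anything supplied in the request)."""
    report = REPORTS.get(doc_id)
    if report is None or report.member_id != session_member_id:
        # One error for both "missing" and "not yours", so a response does
        # not confirm that a guessed identifier exists.
        raise Forbidden("report not found")
    return report.body


def is_denied(session_member_id: str, doc_id: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        fetch_report_hardened(session_member_id, doc_id)
    except Forbidden:
        return True
    return False


def new_document_id() -> str:
    """Unguessable identifier for newly stored reports. Defence in depth only:
    the ownership check above is what actually closes the hole."""
    return secrets.token_urlsafe(16)


def flag_enumeration(log_lines, threshold=5):
    """Over constructed access-log lines '<session_member_id> <doc_id> <status>',
    return members whose session touched more than `threshold` distinct
    document ids. A member normally opens only their own statement or two."""
    seen = defaultdict(set)
    for line in log_lines:
        member, doc_id, _status = line.split()
        seen[member].add(doc_id)
    return sorted(m for m, docs in seen.items() if len(docs) > threshold)


SAMPLE_LOG = [  # constructed: one session stepping through consecutive numbers
    "M-0001 100231 200",
    "M-0001 100232 200",
    "M-0001 100233 200",
    "M-0001 100234 200",
    "M-0001 100235 200",
    "M-0001 100236 200",
    "M-0002 100232 200",
]


if __name__ == "__main__":
    print("vulnerable:", fetch_report_vulnerable("M-0001", "100232"))
    print("hardened denies cross-member read:", is_denied("M-0001", "100232"))
    print("sessions to review:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler fails closed on the session's own member id rather than on anything in the URL, and returns the same error whether the document is absent or belongs to someone else. The log check is deliberately coarse; in practice the threshold would be tuned against how many documents a member legitimately has, and a hit would be reviewed rather than acted on automatically.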
Although Webster found the details of FSS members, the problem was with the administrator, he said.
"The flaw was actually in http://services.pillar.com.au - so not a specific FSS problem, but a Pillar issue," he said.
He said he did not know if any other superannuation funds serviced by Pillar were affected.
"I wasn't actually targeting them. It was accidental and unexpected, so no, I haven't looked at other super funds and I have no interest in doing so personally," he said.
"My only concern was, being a member myself, they should have better protection for myself and their other members in New South Wales."
After finding the problem with the website, he ran a computer program to test the site's integrity and sent the results to Pillar to point out the flaws.
Pillar did not want to say whether it had addressed the issue.
"Pillar cannot comment on arrangements with clients," Pillar Administration marketing and business development general manager Mark Blair said.
Meanwhile, FSS has had its law firm, Minter Ellison, contact Webster, demanding he hand over his computer for inspection.
Webster has been asked by Minter Ellison to sign an undertaking in which he would agree to "at the request of the trustee, allow the trustee's IT personnel to examine my computer during business hours to verify that all data and records to which I have gained unauthorised access on my computer have been destroyed or deleted".
FSS has also reported the matter to NSW police.
Webster, who worked as a senior security analyst for the NSW police force for three years protecting their systems, did not expect this reaction.
He said running such programs was a regular practice in the security industry and most companies were appreciative of the tip-off.
FSS was unavailable for comment, but the fund's chief executive, Michael Dwyer, said in an interview with Risky.Biz, which first reported on the case, that it had taken the measure because of the sheer number of member details Webster had accessed.
"He didn't tell us after accessing his file and one other file; it was a significant number of files that were downloaded and that, of course, means we have to contact all of those members that there has been a breach in security and that their files have been accessed by a third party and that they have been downloaded," Dwyer said.
"Any member of the public would like to know what has been done about that. It is incumbent upon us to make sure those files have been deleted."
Webster said he was not necessarily opposed to the super fund having a look at his computer, but he was not planning on signing the undertaking.
"The letter I am requested to sign would make me incriminate myself, as it says I agree it was unauthorised, whilst I disagree," he said.
"If I was unauthorised I would have had to bypass some kind of security control, which I did not. My supposed unauthorised access was a feature of their software.
"As soon as I sign the letter the NSW police would likely charge me."